The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.

The RPM Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Multiple flaws were found in the way the RPM library parsed package headers. An attacker could create a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code.

Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network remain secure due to certificate checks performed on the secure connection.

All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.

Bug Fixes

The "freshen" (rpm -F/--freshen) operation did not consider the architecture of a system when selecting update candidates, which caused either misleading error messages or packages being updated to a different architecture inappropriately on multilib systems. RPM now requires an exact architecture match between packages on multilib systems to perform the freshen operation.

RPM previously forced the umask of a process to "022" at library initialization, which could cause unwanted behavior for API users, especially in python, where importing the rpm module would silently change the umask. The umask is now only changed for the duration of a transaction and restored to its previous value afterwards.

Package signing could result in a misleading passphrase-related error message when the passphrase was correct but other issues (such as an expired key) prevented signing. Since RPM relies on GnuPG to perform package-signing, it has no knowledge of such details and cannot report them. However, to avoid this situation, any error messages from GnuPG are now passed to RPM users where they were previously silenced unless verbose mode was used when signing packages.

Using custom signing parameters such as a different digest algorithm, it was possible to successfully sign a package that RPM could not validate due to differencies in supported algorithms between GnuPG and NSS. RPM now gives an error message when unsupported parameters are used in package signing.

Package (re)signing could lead to multiple bad signatures being added to a package, rather than being replaced appropriately, because of flawed heuristics used in determining the signature type. Pre-existing and newly created signatures are now compared in detail to precisely determine the need to replace or skip signatures.

Attempting to build packages that contained fonts when the fontconfig package was not installed sometimes led to the build failing with a "getOutputFrom(): Broken pipe" error because of flaws in the dependency generation system. The "font provides" helper script now always flushes stdin to prevent this from occurring. Additionally, the error message has been made more informative to make catching such issues easier in the future.

Attempting to verify packages with "%verifyscript" caused the script to run twice and fail to reflect a failure in response to an RPM exit code. These were simple logic errors, which have been fixed in this update.

When both the primary and secondary architecture versions of a package were installed and then updated or erased, RPM failed to erase all files of the previous installation because erasure order was incorrect in cases where order was not dictated by other dependencies. Erasure ordering between primary and secondary architecture packages is now handled correctly in this situation.